amadey

Sharing

Copy URL

Twitter E-mail

General

Target

c972b554a6f179cbb20fa156d1b2fcb2.bin
Size

200KB
Sample

231012-dj8qzsea67
MD5

1d2338ed1babbf6c22db110d415f70de
SHA1

958bb14a1046ae337b7cef84627da418838ceac4
SHA256

d02c8baec91fc664983e03c47b5ff89c670ebdb73f5b36b5021bc22b546880a7
SHA512

3d2d652a33f4a48498305af11e36d540532eb6d1ba8761045d89274428f3f3f8c49568d4e9fb6aa04d393b52624868222acf5272ec648576d0b1af1d3ac576c7
SSDEEP

3072:l+vZnrH4MO4BbScuWLfZOYN/VGY+NjADRrU+l8:lilRlbAqsM/VNmADRI+l8

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

amadey

Version

3.83

http://5.42.65.80/8bmeVwqx/index.php

Attributes

install_dir
207aa4515d
install_file
oneetx.exe
strings_key
3e634dd0840c68ae2ced83c2be7bf0d4

rc4.plain

Extracted

Family

redline

Botnet

pixelscloud

85.209.176.171:80

Extracted

Family

redline

Botnet

@ytlogsbot

185.216.70.238:37515

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Targets

- Target
  
  a8880ab18906a584647a37fe135a26b36b4d32e9ec380cefe2ab773df5b66546.exe
- Size
  
  534KB
- MD5
  
  c972b554a6f179cbb20fa156d1b2fcb2
- SHA1
  
  679711a9719adcd53a340bab8f3be1947109efab
- SHA256
  
  a8880ab18906a584647a37fe135a26b36b4d32e9ec380cefe2ab773df5b66546
- SHA512
  
  ad1bf958ce15058d2f5bda2bd7f34145e7db3caac9d8eb32f6842ec22adbcb415e137d56071b7fbda364eb123e84002ca4b658b8fb25034ed47746a2371ee228
- SSDEEP
  
  6144:M+AUxvdjNgBoHFIZ0YesFZITJuUQnQRmCy9fV:4QNg2FTJuUQn81UV
Score

10^/10

amadey dcrat healer redline sectoprat smokeloader @ytlogsbot kukish pixelscloud backdoor discovery dropper evasion infostealer persistence rat spyware stealer trojan breha
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2